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ABSTRACT 



A method of automatic verification of personal identity is 
provided. The method includes the automatic generation of 
cue-response pairs and the allocation of such_cue-response^ 
pairs to authorized r^ople^^S^ag^of the iden tity of an 
diPpJicantraslmiM 

the cues from on e or more cue-re sponse pairs previously 
aJlocated^tolthe" authorized- person -to :an _ applicant and 
verifying replies entered by the applicant by comparing the 
replies with the responses in the cue-response pairs. A 
person can more easily remember cue-response associations 
than passwords. This knowledge may be tested by present- 
ing any of the cues to an applicant and asMng for the 
corcesponding response. In: this - rnanner, the present inven- 
tion enhances the level of securityof methods of automatic 
verificatiblfof-personal identity. 

15 Claims, 3 Drawing Sheets 
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METHOD OF AUTOMATIC VERIFICATION by changing the recognition method. If any recognition 

OF PERSONAL IDENTITY method using physical characteristics were to become 

widely used, it is likely mat interlopers would rapidly 

This is a continuation application of application Ser. No. develop methods of counterfeiting users' characteristics. If 

07/867,230, filed as PCT/GB90/01908, Dec. 7, 1990, now 5 * recognition method based on fingerprints became widely 

abandoned, for a METHOD OF AUTOMATIC VERIFICA- methods of constructing rubber fingers with counter- 

HON OF PERSONAL IDENTIT Y * eit P nnts wou ld soon become widely known. An actual or 

suspected breach of security would be serious because a user 

BACKGROUND OF THE INVENTION cannot change his fingerprints to thwart an actual or sus- 

0 pected interloper. To achieve a high level of security, 

1. Held of the Invention therefore, it would be necessary to use another recognition 
The present invention relates to a method of machine method as well. 

verification of personal identity. Machine recognition of a distinctive object in the user's 

o t-v c * L « i * j * ^ possession, such as a key or a magnetic card, is a widely 

2. Description of the Related Art used Jt suffers> however , from me obvious ^ad- 

In many endearours it is necessary for people to be able 15 vantage that the object may be stolen, found, borrowed, or 
to give evidence of their identity to a machine in a pre- counterfeited by an interloper. Mere temporary possession 
arranged manner so that the machine can identify them. For of an object is often not a sufficient proof of identity. This 
example, a machine may regulate people's access to money, method, like the previous method, should be used in con- 
Information, goods, a physical location, control of junction with another method if a high degree of security is 
equipment, or computational resources. Access to buildings 20 required. 

or safes, for instance, is often controlled by locks. Automatic The third category of recognition method relies on users 

cash-dispensing machines control people's access to money giving evidence of identity by demonstrating knowledge of 

in bank-accounts. Multi-user computer systems control peo- some confidential distinguishing information, 

pie's access to information and computational facilities. In Any such method consists of three parts: a means of 

all these applications a machine must, actively or passively, 25 generating such distinguishing information; a means of 

be able to identify those people previously authorized to allocating such information to users so that it can be used as 

have access, and it must be able to distinguish authorized evidence of identity on subsequent occasions; and a means 

users from unauthorized interlopers. of machine verification of a user's knowledge of the said 

The machine may identify each authorized person as a information in the course of machine verification of the 

particular individual, or it may identify only that a person is 30 user's identity. 

a member of a particular group of authorized people. One The verification of an applicant's knowledge of informa- 

person may have several different types of authorisation tion is carried out by means of an applicant entering infor- 

which are verified in different ways by the same machine. mation into the machine in a pre-arranged manner when the 

Several people may have the same type of authorization machine is in the appropriate state to receive it Once the 

verified in the same way; in this case the machine identifies 35 machine has received the information it may be checked 

people in the sense of identifying them as members of a automatically. Information may be entered into a machine by 

particular group. setting dials (as in a combination lock), pressing keys on a 

A person who attempts to provide evidence of identity, keyboard, moving a pointing device, speaking into a 

whether falsely or not, will hereafter be referred to as an w microphone, or by other methods, 

'applicant'. An authorized person who has made arrange- It may be necessary for an applicant to enter several 

ments to give evidence of identity in a certain manner will different items of information into the machine. In that case 

hereafter be referred to as a 'user*. An applicant who it is useful for the machine to indicate to the applicant what 

attempts to impersonate a user, or a person who attempts to type of information it is ready to receive next In identifying 

discover how to impersonate a user will hereafter be referred 45 an applicant, therefore, the machine repeatedly displays an 

to as an 'interloper'. 'Recognition method' will hereafter indication of its state and then receives information entered 

refer to a method of machine verification of identity or by the applicant, until finally enough information has been 

authorization. received for the machine to decide whether the identification 

There are three categories of recognition method which attempt should succeed or faiL The sequence of state- 
can be differentiated by me type of evidence of identity used, so indications and entries of information may vary according to 
Recognition may be by means of some characteristic physi- ihc information entered, and it may admit of a number of 
cal feature of users, or by means of some distinctive object alternatives, and may also be varied from occasion to 
in each user's possession, or by means of particular infor- occasion. 

mation that each user keeps confidential. A sequence of state-indications and entries of information 

A number of physical features have been used or sug- 55 that results in the machine identifying an applicant as a bona 

gested for use in machine recognition: for example voice, fide uscr wlU hercafter * ***** a P 10 ^ 01 ■ 

hand-geometry, fingerprints, or even the pattern of blood 111 other words, the machine identifies an applicant as a 

vessels on the retina. However, recognition by means of user ^ tf a P*** 000 * h successfully followed, 

distinctive physical features has two serious drawbacks. The There are at least three previously known information 

first is that the necessary apparatus must be dedicated to the 60 based recognition methods: the 'password* method; the 

task of recognition, and this apparatus is usually expensive. 'private function* method; and the 'personal question 1 

The second drawback is much more serious. The physical method. 

characteristics of a person are constant and cannot be In the password method, the confidential information on 

changed at will, if an interloper should succeed in counter- which recognition depends is a password, which is usually 
feitingthe necessary physical characteristics of a user so that 65 a sequence of alphanumeric characters, 

the interloper is identified as the user by the machine, then The simplest form of password method is one in which a 

there is no way of ending the breach of security other than single password alone can be used to gain access to a facility. 
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Ad example of such a system is a bicycle combination lode to recall his current password because the memory of it is 
knowledge of the combination alone enables a person to confused with memories of many previous passwords. This 
open the lock. Authorized users of the facility are told or memory confusion has a simple cause: a user must recall the 
shown the password, and they are instructed to keep it new password under almost exactly the same conditions 
confidential. All users use the same password. To gain 5 uno \er wn i cn he had to recall the old passwords. In the 
access, a user simply enters the password when the machine password method the machine prompts the user for the 
is in a state of waiting for a user to identify himself. password in a standard manner: "Enter Password:" for 
A more complex type of password system can enable a example, and this prompt does not change when the pass- 
machine to identify and to distinguish between a number of word is changed. 

different users or types of user. Each user or type of user has in A u ~ . , t4 . ^ 

their ownpassword which is kept confidential not only from 10 Anoto reason why users find passwords difficult to 

non-users but also from other users. remember is that they may need to remember a number of 

If no two users have the same password then it is possible w ™*> passwords to identify themselves to different 

to arrange for the machine to identify any user siir^ly by the Passwords for different machines may then 

password entered. However, this arrangement has the dis- become confused in users minds, 

advantage that that if there are many users the chance that an If a user forgets his password then the machine is unable 

interloper 1 s guess could correspond to the password of some to identify hint The user must then contact an administrator 

user could become unacceptably high. of the machine who is authorized to issue users with new 

A better and widely used system is for users to identify passwords. The procedure for assigning a new password to 
themselves to the machine in two stages: the making of an a user who has forgotten his old one is a potential security 
'identity claim* (a claim to be a particular user); and the 20 risk because the user must use some other method of 
entering of a password. The machine accepts an applicant's identifying himself to the administrator. An interloper, 
claim to be a particular user if the applicant enters the therefore, could impersonate a user and obtain a new pass- 
password allocated to that user. In this system, users* word by this route. In addition, the inconvenience that 
passwords are not in general the same, but they are not results when users forget their passwords is an incentive for 
necessarily all different. 25 them to write their passwords down. 

In the case of automatic cash-dispensing machines an A further source of insecurity is that an interloper can 

applicant makes an identity claim by inserting a card; the discover a user's password simply by observing the user 

applicant must then confirm the claim by entering the entering the password during the identification protocol, 

personal identification number (PIN) of the authorized user With a computer system, users enter their passwords on the 

of the card. In the case of multi-user computer systems an 30 exposed keyboard of a computer terminal and an interloper 

applicant makes an identity claim by entering a 'user- only needs to watch the user's hands as the password is 

identifier*, which is usually a shortened form of a user's being entered. 

name. User-identifiers are not usually highly confidential. To ft f s a weakness of the password method that an interloper 

confirm the claim the applicant must then enter the user's ^ neeo « on i y observe a user's identification protocol on one 

password. occasion to be able to impersonate the user successfully. 

A password system is secure if all users keep their All the disadvantages of the password method that have 

passwords confidential, and if passwords are hard for inter- been mentioned are dramatically alleviated by the present 

lopers to guess. The surest way for a user to keep his invention. 

password confidential is to memorize it, not to write it down, ^ fu nctioD * method j^s been suggested but 

not to communicate it to anyone, and to avoid having other se idora, if ever, used. In the protocol the user makes an 

people observe the entry of the password. In addition, idenu^ claim in the same way as with the password method, 

passwords should be changed frequently so that any breach ^stead of a password each user is allocated a mathematical 

of security is of limited duration. function, such as one defined by f(x)=2x+5. Instead of a 

But password systems are not in general secure. The main 45 prompt such as "Enter password: *\ the user is prompted by 

reason for this is that people find passwords hard to memo- the display of a number. The number displayed is in general 

rize and to recall. This difficulty causes a variety of prob- different on different occasions. The user must then apply the 

^ emSi function to the number (preferably using mental 

Passwords are either automatically generated, or else each calculation), and then he must enter the result into the 

user secretly chooses his or her own password. Automati- 50 machine. If the number entered by the applicant is the actual 

cally generated passwords may be random numbers, or they result of applying the function to the number given as the 

may be randomly constructed nonsense words such as prompt, then the machine accepts the applicant's identity 

PEGW1Z or SUDBAT, which are marginally easier to claim. 

remember. Xh e so j e advantage of this method is that it is not possible 

Automatically generated passwords are chosen in an 55 to ascertain a user's private function by observing, in full, a 

arbitrary manner from a large number of possible small number of protocols, because there would be many 

alternatives, so they are certainly hard for interlopers to possible functions that would yield the same results for the 

guess. But users find them difficult to remember, so they numbers presented. However, few people are happy to 

usually write them down. remember mathematical functions, and performing mental 

Conversely, if users secretly choose their passwords they 60 arithmetic is tiresome, 

will often choose passwords that are easy for them to The *personal question' method has been used. Each user 

remember, but which are also easy for interlopers to guess. is allocated a number of lughly personal questions. When the 

Users will often choose passwords that have some personal questions are allocated the user provides answers to the 

significance, and their colleagues may find such passwords questions. These answers are stored, usually in encrypted 

easy to guess. 65 form, in the machine. Examples of possible questions are 

Moreover, the more frequently passwords are changed the "What is your mother's birthday?" or "What is the name of 

more difficult they are to recall. A user may find it difficult your dog?". During the protocol, the machine displays one 
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or more of the questions allocated to a user and the user allocated, he will almost certainly remember a sufficient 

enters answers to the questions. The answers given are number of them for him to be positively identified. There 

automatically checked against the answers stored in the should, therefore, be little temptation for users to writedown 

machine. If an applicant answers sufficient of the questions the cue-response pairs they have been allocated, and occa- 

correctly the machine accepts the applicant's identity claim. 5 sions on which the user forgets so many cue-response pairs 

One advantage of this method is that users are unlikely to mat me machine cannot positively identify him should be 

forget answers to such questions. On the other hand, rare. A further advantage is that each time a user is identified 

acquaintances of the user may also know the answers, or a different selection of his cue-response pairs may be 

they may be able to discover them. Another disadvantage is presented, and in a different order. An interloper would 

that people may find it annoying to be repeatedly asked w therefore have to observe several protocols and would have 

personal questions to identify themselves to a machine. to note a number of cue-response pairs to be sure of being 

able to impersonate a user. 

SUBJECTS OF THE INVENTION Embodiments of the invention will now be described by 

No previously suggested recognition method based on wav of ^amP 1 * 5 onl y. 

protocols is entirely satisfactory. The present invention ° ne embodiment of the invention is as a multi-user 

provides arecognition method with which the distinguishing computer system programmed so that an applicant's access 

information is both automatically generated and easy for t0 computational facilities and stored information is condi- 

usexs to remember. With the invention it is difficult for tional on the computer system verifying the applicant's 

interlopers to discover the distmguishing information by identity as one of the authorised users, 

observing protocols. A further advantage is that the machine In one form of the invention the cues and the responses 

can still identify a user even if he has forgotten part of the are words or phrases. A set of possible cues, referred to 

distinguishing information. As a consequence, the present hereafter as the cue-set, and a set of possible responses, 

invention is inherently far more secure than the protocol referred to hereafter as the response-set, are stored in the 

methods suggested previously. In many applications, the machine. A cue-response pair is generated by the automatic 

present invention could replace recognition methods based selection of a cue from the cue-set and a response from the 

on physical characteristics or distinctive objects. response-set 

The cue-set and the response-set should be constructed in 

SUMMARY OF THE INVENTION such a way mat it is ea Sy for a user to remember an 

The present invention provides a recognition method 30 association between any member of the cue-set and any 

comprising a method of automatically generating distin- member of the response-set. That is, any cue-response pair 

guishing information, and of allocating the distinguishing constructed by taking a cue from the cue-set and a response 

information to users, and a method of subsequently identi- from the response-set should be easy for users to memorize, 

fying users by means of a protocol in which the user enters Such associations are easy to memorize if the cue-set and 

the distinguishing information into the machine. The distin- 35 the response-set are collections of imageable words or 

guishing information is in the form of an association phrases. (The cue-set and the response-set may overlap.) Jt 

between a cue and a response; such an association will is well known in the field of cognitive psychology that 

hereafter be referred to as a 'cue-response pair \ At least one associations between imageable words are easy to commit to 

automatically generated cue-response pair is allocated to memory and easy to recall. Many such associations may be 

each user. Subseq uent iden tification of an_applicant^as-a 40 committed to memory without confusion between mem 

particular user irbyj:means=of-a-protocol^m^the course of provided that the cues are all different 

wMdT^fielnaBto^ to the~applicant the cues from An imageable word, phrase, or sentence is one that can be 

one or more cue-response pairs allocated the the said user. readily associated with a characteristic image. Examples of 

TWmachine accepts from^e appUcantale^7oreacrrcue imageable words and phrases are: 'wolf', 'castle', 'brown 

presented. The rractmie identmeTme apph^ 45 sugar* f 'clown', 'bolt of lightning', 'Statue of liberty', 

the applicant-gives correct repUesto~a~suffident-number of Examples of words and phrases that are not readily image- 

the cucs-r^entedr^a-correct reply to ' a cue"being^the able are: 'notify', 'remote*, 'errand*, 'contrary', 'secular' , 

response paired with the cue ma cue^response pair allocated 'moment*, "reason for belief. Imageability is to a certain 
itojhejascr. JIhe-number-of- cues presented in the course of a^ 1 extent a subjective property, and it is also a matter of degree, 

protocol may be fixed or variable. The number of correct 50 Nevertheless it is possible to find many words and phrases 

replies that the riuichiae requires for the acceptance of an that would be generally accepted as highly imageable. 

apptf cant's identiryxlaim may beftted, oritrmyMvSabl e Methods of constructing sets of linguistic expressions that 

and it may depend on the number of incorrect replies given are generally judged to be highly imageable will now be 

by the applicant in the course of the. protocol. described. 

TyrcpiTccT/-\*j rya TiTP 55 expressions in the cue-set and the response- 

J^T, , .^.:fl!vr^ set should be ones that the intended users of the machine 

PREFERRED EMBODIMENTS should generally find highly imageable. Whether users will 

The main advantage of the present invention over the find a given linguistic expression highly imageable depends 

'password method* is that human memory for associations upon the users* cultural backgrounds and on the languages 

between cue-response pairs, particularly imageable cue- 60 or dialects that they speak. It is not possible, therefore, to 

response pairs, is durable and reliable. When the cue from a give definitive lists of cues and responses that would be 

previously memorized cue-response pair is presented it acts suitable for any group of users now and in the future. It is, 

as a powerful mnemonic aid for the recall of the response. however, possible to construct lists of linguistic expressions 

Furthermore each authorized user can be allocated a number that will be readily imageable for a group of users by 

of different cue-response pairs which together constitute a 65 selecting expressions according to the following criteria, 

large amount of distinguishing information. Even if a user First, for a user to find an expression imageable, the user 

cannot remember all cue-response pairs he has been must have a clear conception of its meaning. For example, 
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the word 'sextant* would not be readily imageable to a picture of the meaning of the expression. The judgements 

person who did not know the word, or to a person who knew could be expressed on a scale from 1 to 5, with 1 meaning 

what a sextant was for but who did not know what one difficult to picture and 5 meaning easy to picture. The 

looked like. 'Sextant* would, however, be highly imageable judgements of the people selected should then be analysed 

for an English-speaking navigator. 5 using techniques that are well known in psychology, and 

Secondly, the following categories of words and phrases "^ ose expressions that the selected people generally agreed 

will be found to be imageable: were imageable may then be regarded as being imageable. 

names and descriptions of well-known physical objects, # ^ intended users of the machine are linguistically and 
such as 'car*, 'table', 'fork', 'light-house*, 'glass of beer'; culturally heterogeneous, then it may be necessary to corn- 
words and phrases that describe people, animals, or 10 various coUections of imageable terms for different 
plants, such as 'clown*, 'baby 1 , 'cat*, 'giraffe', 'rose\ 'sol- subgroups of intended users. 

dier* ; The cue-set and the response-set may then be constructed 

propernamesofweUknown(rx>ssiblyfictional)peoplear in lowing way. Both sets should be coUections of 

places, such as 'Sherlock Holmes', 'Venice', The Eiffel 15 imageable expressions. 

Tower** *~ ues Sft0U ld ^ unambiguous and specific. For example, 

names or descriptions of perceivable attributes, such as f mou g h is highly imageable, it is not very suitable 

'purple* 'sticky* *crunchy'* for use as a cue 06031156 ^ * s ambiguous in the sense that it 

. 1 . ^. * . „ « t4r , can refer either to a type of stone or to a small glass ball. This 

t names or descriptions of substances, such as tar , ^ could le £ t0 in reca] ^ a response 

c se * e 1 20 associated with 'marble* because the user might memorize 

names or descriptions of physical processes or actions, me association when thinking of the type of stone, and 

such as *run\ 'running', 'grind', 'grilling meat', 'breaking subsequently when 'marble* was presented alone as a cue the 

8* ass ! user might interpret it in the other sense and try in vain to 

names or descriptions of perceivable events, such as recall a response associated with an image of a small glass 

'sunset', 'Cup Final*, 'a soldier salutes', *a foggy morning 25 ball. 

in autumn with leaves on the ground', 'the boy stood on the Some examples of expressions suitable for use as cues 

burning deck*. are: 'armchair*, 'pine-tree', 'mackerel', 'snow on a moun- 

These categories are not mutually exclusive. The majority tain top*, 

of imageable terms are descriptions of physical entities, in Suitable responses may be chosen as follows. Responses 

the sense that they describe or refer to objects, people, 30 should be imageable. They should be short, so that they can 

animals, plants, or substances, and the entity may be further be entered into the machine quickly. They should be easy to 

specified as being involved in some action, event, or process, S pell ( 'giraffe* would not be a good response). They should 

as in the imageable expressions 'a soldier salutes*, 'burning be common terms, so that they can easily be recalled, 

straw*, 'spUt milk', 'the tiger springs*. Single words such as 35 Ambiguity does not matter. There should not be other, 

'sea', 'moon*, 'ship', 'dungeon* may also be termed descrip- equally common short terms that are similar in meaning, 

tions of physical entities, whether the entity referred to is because if a common synonym of a response exists, it may 

unique, as in 'sun', or general as in 'ship'. be substituted for the original response on recall. For 

A third criterion for imageability is that a word should not example, 'road* , 'lane*, and 'street' are too similar in mean- 
be too general in meaning. For example 'dwelling*, ing for any of them to be suitable for inclusion in a 
'furniture*, 'cutlery*, 'employee*, and 'animal' are less response-set 'Carrot', however, is a word without a close 
readily imageable than 'bungalow', 'chair*, 'knife*, synonym, and it is very suitable for use as a response, 
'salesman' , and 'rabbit' respectively. A general term may not Some examples of terms suitable for use as responses are: 
be highly imageable if its referents cannot be distinguished « e gg\ *cup\ 'pen*, 'rat*, 'eye*, 'woman*, 'chair', 'water', 
according to some sirnilarities of appearance. 45 'moon', 'fish', 'rose', 'fork*. 

The three criteria far imageability given above should be Jt is possible to form a collection of more than 1000 words 

sufficient to ensure that an expression that satisfies the suitable for use as responses by users who are native 

criteria should be found to be imageable by most intended speakers of English. 

users. However, if during the construction of a set of ^ is well known that people find it easy to remember an 

imageable expressions it is found that the criteria are difficult 50 association between a cue and a response if the cue and the 

to apply with precision, then an additional method of select- response are imageable expressions. Users should be 

ing those words that are readily imageable for the intended instructed to commit the association to memory either by 

users is as follows. ^ constructing a mental image in which the cue and the 

^A^r^^om sampleof the intended users of themch^e^or response interact, or else by making up a sentence that 

a ran^>m sample of people_of similar educational and 55 contains both the cue and the response and which connects 

cultural^ a tfa^l^ound^ should~be them. An association between imageable words or expres- 

Cselected. The people selected' should also speak the same sions is memorable even if there is no conventional or 

dialects-of^the same languages as the intended users. A plausible association between them, 

collection of well-known words in the dialects spoken by the For example, to memorize an association between 'wolf* 

intended users should be selected according to the three 60 and 'crown*, a person might imagine a wolfuearing a crown, 

criteria given above, and the sample of people should be or else the person might make up a sentence such as 'the 

asked to Judge how imageable each word in the collection wolf is wearing the crown*. The image or sentence by which 

is. the association is committed to memory may be mundane or 

Judgements of the degree of imageability of the words bizarre. The sentence or mental image that a person uses to 

and expressions may be elicited in the following way. Each 65 commit an association to memory does not itself have to be 

person should be given a list of the expressions, and should remembered: the act of constructing a mental image or of 

be asked to give a judgement as to how easy it is to form a making up a sentence only serves to help commit the 
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association to memory. This mnemonic phenomenon has (-impose ,a4ower, and^ possibly also an upperclirdt-on^the 

been known since antiquity, and has been studied by psy- numSerof cwerresponse palr^tfiat^ybe current for a u§er. 

chologists. It is important that no two cue-response pairs current for 

An association is committed to memory in the sense that, a user should have the same cue. To maintain the mnemonic 

if the cue is subsequently presented, then the response may 5 effect of cues, it is also preferable that an interval of time 

be easily be recalled. For example, suppose a person has should elapse between the discard of a cue-response pair and 

committed to memory an association between *wolF and the allocation of another cue-response pair with the same 

'crown*. If, subsequently, the the person is asked to recall cue. 

the word associated with 'wolf \ then the word 'crown' can An applicant's identity is verified by means of an infar- 

be easily recalled, provided that associations between *wolf * 10 mation exchange protocol. As with the password system the 

and other responses have not also been committed to machine indicates that the applicant may make, an identity 

memory in the same manner. claim. The applicant then claims to be a particular user by 

A cue-response pair, once generated, is allocated to a user entering that user' s user-identifier, or by inserting a magnetic 

by displaying the cue and the response to the user. This may card, or by other means. 

be done, for example, by means of an automatically printed 15 The machine then selects one or more cue-response pairs 

slip of paper delivered confidentially to the user, or by that are current for the named user, and the machine then 

displaying the cue and the response on the terminal screen, verifies the applicant's knowledge of these cue-response 

on the user's demand. pairs. The machine verifies the applicant's knowledge of a 

An alternative method of automatically generating and cue-response pair by displaying the cue to the applicant, then 

allocating cue-response pairs is as follows. A response-set is accepting a reply from the applicant, and then automatically 

held in the machine, as before, but a cue-set is not held. comparing the reply with the response An the cue-response 

When a cue-response pair is to be generated for a user, the P 3 ^* 

user makes up a cue and enters it into the machine, and the For example, if a current cue-response pair for the user is 

machine automatically selects a response from the response- „ 4 daffodil-fish', then the machine may select this pair and 

set and presents it to the user. would then display an indication such as *Enter the response 

It is preferable to provide a facility for the user to be able for daffodil: \ or simply 'daffodil'. ITiis is an indication that 

to signify whether he wishes to accept or reject the cue- applicant should then enter *fish'. 

response pair being allocated. If the user signifies that he An alternative form of indication is for the machine to 

accepts the cue-response pair, then a record of an association 30 display a message such as 'Press a key to see the cue and 

between the user, the cue, and the response, hereafter then enter the response'. The applicant should then press a 

referred to as a user-cue-response record, is held by the key, upon which event the machine displays the cue. The 

macliine machine may display the cue either for a period determined 

Once a cue-response pair has been allocated to a user it * *f «Hf cant (e.g. for as long as the applicant holds the 

becomes one of the user's 'current' cue-response pairs, a 35 01 f " a ** ed P 010 ? < e * ° ne ^ 

cue-response pair that is current for a user being one that has <*J*™»**g ^e cue on demand has the advantage 

been allocated to the user and which may be used during ,*« »» ^ult for an interloper to see both the 

subsequent verification of an applicant's identity as the user. <=ue displayed and the reply entered during a protocol. If 

_ ^ „ . „ each user has several current cue-response pairs then an 

To prevent each user s collection of current cue-response interl needs to know which cues are paired with which 

pairs from growing without limit as more cue-response pairs <° responses ^ OTder to impersonate a user. If cues are dis- 

are allocated it is necessary for some of a tuBrt current { ^ onl briefl ^ on demajMl durin piotoool _ th en it 

cue-response pairs to be periodically discarded . Once a fa for an mto loper to acqulre ^ knowledge by 

cue-response pair current for a user has been discarded it is casual observatlon ^ a wer identifying himself to foe 

not used subsequently to verify the identity of mat user machine 

eX aU P cied e "ain k to Iy th Ve s^ a lst C CUe " reSp0nSC 45 The cue may be displayed as a pictorial image. The 

is oc again o e same user. machine verifies the applicant's reply to each cue presented 

Various arrangements are possible for regulating the alio- during the protocol, 

cation and discard of cue-response pairs. The simplest verification method is for the machine to 

The allocation of cue-response pairs may be regulated 5Q determine whether the reply is identical to the response in 

automatically by the machine or it may be under the control the appropriate user-cue-response record. With this method, 

of users. One possible form of automatic regulation would verification has only two possible outcomes: success, if the 

be for the machine to initiate the allocation of new cue- re piy and response are identical; and failure otherwise, 

response pairs to users after fixed intervals of time, or else A disadvantage of this simple verification method is that 

after a fixed number of verifications of a user's identity. 55 users m p 0ne> to worc i s ma t are related in 

Alternatively, or in addition, a facility may be provided for meaning to the correct responses; users remember the 

the user to request the allocation ofa new cue-response pair. imageable meaning of a response, and not necessarily the 

^Similariy fte^ cue^sponse pairs may becon- exact word used to convey that meaning. For example, if the 

troUed^bytf^ be correct response is 'stone* then a user might give the reply 

provided f cr to*^^ 60 'rock' ; and 'trout* or 'fish* might be substituted for * salmon \ 

cuel^spon^paiiv^^^ Although such replies are not identical to the correct 

to discard ^certain- of ~me~jwiirs ^Alternatively, it may -be responses, they do provide some evidence that the applicant 

an^gedXorftelnachine to discard a cue-response pair after was exposed to the cue-response pair. By taking account of 

a fixej gh-terad these partially correct replies, it is possible to identify users 

n^^er^rtimes^_ 65 more reliably and with shorter protocols. 

{^allocation or discard of cue-response pairs is at the Partially correct replies may be assessed by providing a 

[user's discre tion then it may be necessary for the machinb to stored table of the probable replies that users may give for 
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each response. For example, the probable replies for the mechanical rotation of one or more dials so as to display one 

response 'road' are 'street* 'lane', and 'road* itself. For each or more symbols constituting the cue. The user is then 

response, each reply is associated with numeric score. The required to rotate the dial or dials to another symbol or 

stored information that is needed consists, therefore, of symbols so as to indicate the correct response, 

response-reply-score records, each of which associates a 5 

response, a possible reply, and the score. The number of BRIEF DESCRIPTION OF THE DRAWINGS 

possible replies is, of course, very large, and it is impractical ^ example of a method according to the invention will 

and unnecessary to store scores for all possible replies to nQW fce described ^ reference to me accompanying 

each response. It is only necessary to store explicit response- Hrawines in which* 

reply-score records for a small number of the most probable in V. , , , ' 

replies, and also to store a default score, for each response, 10 FIG. 1 is a block diagram of apparatus for carrying out the 

which is the score given to replies other than the most method; 

probable replies for which records are kept, FIG. 2 is a flow diagram illustrating operation of the 

The score for a reply is computed as follows. Let the apparatus in FIG. 1, and, 

correct response be S., and let the applicant enter a reply R. FIG. 3 is a flow diagram illustrating the generation and 

If a response-reply-score record is held for the response S 15 allocation of cue-response pairs, 
and the reply R, then the score is that specified in the record. 

If no response-reply-score record is held for S and R, then DETAILED DESCRIPTION OF THE 

the score is the default score for S. PREFERRED EMBODIMENTS 

Various criteria for choosing the numeric values of the 2Q The apparatus shown in FIG. 1 comprises an input device 

scares are possible. All reasonable criteria have two prop- 1 such as a keyboard which is connected to a processor 2 

erties. First, replies that are commonly substituted far a which, in turn, is connected to a monitor 3. The processor 2 

response should have high scores for that response, and is connected to a store 4 which may be local to the processor 

. replies that are rarely substituted for that response should or remote and connected thereto by a telephone line or the 

have low scores for that response. Second, a reply that may 25 like. The processor 2 generates an output signal on a line S 

commonly be substituted for many responses end, in in accordance with whether or not a user of the input device 

particular, for response S, should have a lower score far has been verified. 

response S than another reply, equally likely to be substi- The store 4 holds a set of user-cue-response records (ucr) 

tuted for S, but which is rarely substituted for any response for each valid user of the system. Each ucr record has four 

other than S. 30 fields: 

In the course of an identification protocol, the machine userid: the userid of the user 

may test the applicant's knowledge of more than one cue- ^ cat 

response pair. After the applicant has made his identity response- the response 

claim, the machine may select a sequence of cue-response ±> , , . . , . 

pairs current for the (claimed) user, and it may test the 35 n - uses: *e number of times that this record has been 

applicant's knowledge of each cue-response pair in turn, in used dunn 8 identification protocols, 

the manner already described. As each cue-response pair is The processor 2 also has preset two parameters, namely 

tested, the machine keeps a record of the number of cue- max_challenges: the maximum number of cues that can be 

response pairs tested and the total score obtained so far. If presented in the course of an identification protocol, 

the sample verification method is used, the machine keeps a ^ threshold! n]: threshold[n] is denned for n such that 

count of the number of successful verifications, instead of l^n^max__challenges. 0^threshold[n]^n. threshold[n] is 

the total score. the minimum number of correct replies required for identi- 

The machine accepts or rejects the applicant's identity fication to succeed after n cues have been presented, 

claim according to whether the applicant's total score (or Initially, the CPU 2 causes the monitor 3 to request a 

total number of correct replies) rises above an acceptance 45 userid from an applicant (step 10, FIG. 1) and the applicant 

threshold or falls below a rejection threshold. The levels of enters his userid via the input device 1. The processor 2 men 

the acceptance and rejection thresholds may vary as a retrieves from the store 4 all ucr records whose userid field 

function of the number of cue-response pairs tested so far. matches the entered userid (step 11). The processor 2 then 

For example, the acceptance and rejection thresholds could shuffles the retrieved list to random order (step 12) and sets 

be set so that, with the simple verification method, the 50 variable n to 1 and variable c to 0 (step 13). 

iriachine would accept the applicant* s identity claim only if The processor 2 then enters a loop in which in the step 14 

both of the first two replies were correct, or three out of the it determines whether the nth ucr record exists and if it does 

first four replies were correct, or four out of the first six not the processor 2 indicates on the line 5 that the identifi- 

replies were correct, otherwise the identity claim would be cation has failed (step IS). If the record does exist, the 

rejected. 55 processor 2 then displays the cue corresponding to the nth 

An alternative method of testing an applicant's knowl- record on the monitor (step 16). The applicant enters a reply 

edge of several cue-response pairs is to present several cues to the cue via the input device 1 and the processor 2 

simultaneously. The applicant should then respond by enter- compares the entered reply with the response in the ucr 

ing (the corres ponding responses in the-corre ct order. record (step 17). If the reply and response match the variable 

A.deyice to verif^me^ntitie^r^^ c is incremented by 1 (step 18). In addition, the n_uses field 

^manner^ already described ~couM~beiconstructe<l~using-a of the ucr record is incremented by 1 (step 19). 

c^pffer^wI&ra^ke ybolSd and a dis p1ay_screen, pro- In a step 20 the current value of variable c is compared 

grammed to~perfonn~tr^ runctions^^ with the preset threshold [n] and if it is greater than or equal 

prograinr^ng-could^readily be accomplished rby^those to that threshold the identification succeeds and a suitable 

skiUedm thwart and^femiliarwith^urre^ password systems. 55 signal is output on the line 5. 

The present invention may also be applied to a combina- If c is less than the threshold [n] then the processor in a 

tion lock in which the insertion of a card causes the step 21 compares the current value n with the preset max_ 
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challenges. If n is greater than or equal to max_challenges 
then the identification fails but otherwise n is incremented 
by 1 (step 22) and processing returns to step 14. 

FIG. 3 illustrates the operation of the system when a new 
cue-response pair is to be set up. Initially, a parameter 
n_records is set up representing a number of ucr-records to 
be stored for each user. 

When a user indicates that he wishes to add a new 
ucr_record to his list, he enters his userid and the processor 

2 retrieves a list of ucr_records for the user from the store 
4 (step 30). The processor 2 then checks to see whether the 
current number of records in the list is less than the param- 
eter n_records (step 31) and if it is not asks the user if he 
wishes to choose a new ucr_record (step 32). If he does not, 
the process stops. If the user does wish to choose a new 
ucr__record or me numiber^ fyecords is less than n_records, 
the processor 2 randomly selects a cue from a cu elfile inrthe 
store 4 (step 33).~Tfeprpcessor checks to see whether the 
cue already occurs as a cue or response in any of the users 
ucr_j:ecords (step 34) and if it does then selects a further 
cue. If it does not, the processor then randomly selects a 
response from the response file in the store 4 (step 35) and 
the selected cue and response are displayed on the monitor 

3 (step 26). 

The processor then requests the user to indicate whether 
or not he accepts the new cue-response pair (step 37) and if 
he does not, the process stops. If he does accept the 
cue-response pair, a new ucr_jecord is formed (step 38). If 
the number of ucrjecords already in the list is greater than 
or equal to the parameter n_j:ecords then one of the ucr__ 
records is deleted (step 39) and a new ucr_record added 
(step 40). If the number of ucr_j*ecords now stored is less 
than n_records processing returns to step 32 but otherwise 
processing stops (step 41). 

I claim: 

1. In a system for verifying an individual user's identity 
by machine, a system for generating cue and response 
expressions to be used for identifying a specific individual 
user, said system comprising: 
storage means for storing a plurality of predetermined cue 

and response expressions; 
selection means for automatically selecting a cue and a 

response expression from the storage means; 
means for displaying the selected cue-response pair to the 
user; and 
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means for recording the selected cue-response pair as 
assigned to said user far use in verifying said user's 
identity on subsequent occasions. 

2. -The-systeniof claim 1 wherein said selection means 
5 -randomly selects ~Ae z cue^e^ 

expression from different stored sets of^ecSermined 
expressions. ^ 

3. The system of claim 2 wherein said selection means 
selects the cue expression for a new cue-response pair that 
is different from the cue expressions in all other cue- 
response pairs currently allocated to that user at that time. 

4. The system of claim 1 wherein said selection means 
automatically selects a response expression after a cue 
expression is entered by the user. 

5. The system of claim 1, further comprising: 

15 means for verifying the user's identity on subsequent 
occasions by presenting the cue expressions from the 
recorded cue-response pair assigned to the user, and 
comparing the response expression entered by the user 
with the response expression of the recorded cue- 

20 response pair. 

6. The system of claim 5 wherein said verifying means 
presents a number of cue expressions to the user during 
verification of the user's identity dependent on the number 
v of incorrect response expressions entered by the individual 

25 7. The system of claim 6 wherein said verifying means 
presents each cue expression only on the user's demand. 

8. The system of claim 6 wherein said verify means 
presents each cue expression for a constant period of time. 

9. The system of claim 6 wherein said verifying means 
30 presents each cue expression only during a period the user 

is pressing a key. 

10. The system of claim 1 wherein the stored cue expres- 
sions consist of imageable words, phrases, or sentences. 

11. The system of claim 1 wherein the stored cue expres- 
35 sions are descriptions of physical entities. 

12. The system of claim 1 wherein the stored cue expres- 
sions are pictorial images. 

13. The system of claim 1 or 10, wherein the stored 
response expressions consist of imageable words, phrases, 

40 or sentences. 

14. The system of claim U or 12, wherein the stored 
response expressions are descriptions of physical entities. 

15. The system of claim 1, wherein the stored response 
expressions are pictorial images. 

45 

***** 
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